config: add new settings to documentation and example config file

Signed-off-by: Steffen Vogel <post@steffenvogel.de>

docs/configuration.md

@@ -16,28 +16,40 @@ A full overview is available in its [manpage](./usage/md/cunicu_daemon.md).
 Alternatively a configuration file can be used for a persistent configuration:
 
 ```yaml title="cunicu.yaml"
-# An interval at which cunicu will periodically check for added, removed or modified WireGuard interfaces.
+# An interval at which cunicu will periodically check for added,
+# removed or modified WireGuard interfaces.
 watch_interval: 1s
 
-
+## Signaling backends
+#
+# These backends are used for exchanging control-plane messages
+# between the peers.
+# E.g. ICE candidates, Peer information
 backends:
-- grpc://localhost:8080?insecure=true&skip_verify=true
-- k8s:///path/to/your/kubeconfig.yaml?namespace=default
+- grpc://signal.cunicu.li
+# - grpc://localhost:8080?insecure=true&skip_verify=true
+# - k8s:///path/to/your/kubeconfig.yaml?namespace=default
 
 
 # RPC control socket settings
 rpc:
+  # Path to a Unix socket for management
+  # and monitoring of the cunicu daemon.
   socket: /var/run/cunicu.sock
 
-  # Start of cunicu daemon will block until its unblocked via the control socket
+  # Start of cunicu daemon will block until
+  # its unblocked via the control socket.
   # Mostly useful for testing automation
   wait: false
 
 
 ## Hook callbacks
 #
-# Hook callback can be used to invoke subprocesses or web-hooks on certain events within cunicu.
+# Hook callback can be used to invoke subprocesses
+# or web-hooks on certain events within cunicu.
 hooks:
+
+# An 'exec' hook spawn a subprocess for each event.
 - type: exec
   command: ../../scripts/hook.sh
 
@@ -51,15 +63,16 @@ hooks:
   env:
     COLOR: "1"
 
+# A 'web' hook performs HTTP requests for each event.
 - type: web
 
   # URL of the webhook endpoint
   url: https://my-webhook-endpoint.com/api/v1/webhook
   
-  # HTTP method of request
+  # HTTP method of the request
   method: POST
 
-  # Pass additional HTTP headers.
+  # Additional HTTP headers which are used for the requests
   headers:
     User-Agent: ahoi
     Authorization: Bearer XXXXXX
@@ -70,18 +83,93 @@ hooks:
 # using the 'interfaces' settings (see below).
 # The following settings will be used as default.
 
-# WireGuard settings
-wireguard:  
-  # Create WireGuard interfaces using bundled wireguard-go Userspace implementation
-  # This will be the default if there is no WireGuard kernel module present.
+## WireGuard interface settings
+#
+# These settings configure WireGuard specific settings
+# of the interface.
+wireguard:
+  # A base64 private key generated by wg genkey.
+  # Will be automatically generated if not provided.
+  private_key: KLoqDLKgoqaUkwctTd+Ov3pfImOfadkkvTdPlXsuLWM=
+
+  # Create WireGuard interfaces using bundled wireguard-go
+  # user space implementation. This will be the default
+  # if there is no WireGuard kernel module present.
   userspace: false
 
-  # Port range for ListenPort setting of newly created WireGuard interfaces
-  # cunicu will select the first available port in this range.
+  # A range constraint for an automatically assigned
+  # selected listen port.
+  # If the interface has no listen port specified, cunicu
+  # will use the first available port from this range.
   listen_port_range:
     min: 52820
     max: 65535
 
+  # A 16-bit port for listening. Optional;
+  # If not specified, first available port from listen_port_range
+  # will be used.
+  listen_port: 51825
+
+  # A 32-bit fwmark for outgoing packets which can be used
+  # for Netfilter or TC classification.
+  # If set to 0 or "off", this option is disabled.
+  # May be specified in hexadecimal by prepending "0x". Optional.
+  fwmark: 0x1000
+
+  # A list of peers.
+  peers:
+    
+  - # A base64 public key calculated by wg pubkey from a private key,
+    # and usually transmitted out of band
+    # to the author of the configuration file.
+    public_key: FlKHqqQQx+bTAq7+YhwEECwWRg2Ih7NQ48F/SeOYRH8=
+    
+    # A base64 preshared key generated by wg genpsk.
+    # Optional, and may be omitted.
+    # This option adds an additional layer of symmetric-key
+    # cryptography to be mixed into the already existing
+    # public-key cryptography, for post-quantum resistance.
+    preshared_key: zu86NBVsWOU3cx4UKOQ6MgNj3gv8GXsV9ATzSemdqlI=
+
+    # An endpoint IP or hostname, followed by a colon,
+    # and then a port number. This endpoint will be updated
+    # automatically to the most recent source IP address and
+    # port of correctly authenticated packets from the peer.
+    endpoint: vpn.example.com:51820
+
+    # A time duration, between 1 and 65535s inclusive, of how
+    # often to send an authenticated empty packet to the peer
+    # for the purpose of keeping a stateful firewall or NAT mapping
+    # valid persistently. For example, if the interface very rarely
+    # sends traffic, but it might at anytime receive traffic from a
+    # peer, and it is behind NAT, the interface might benefit from
+    # having a persistent keepalive interval of 25 seconds.
+    # If set to 0 or "off", this option is disabled.
+    # By default or when unspecified, this option is off.
+    # Most users will not need this. Optional.
+    persistent_keepalive: 120s
+
+    # A comma-separated list of IP (v4 or v6) addresses with
+    # CIDR masks from which incoming traffic for this peer is
+    # allowed and to which outgoing  traffic for this peer is directed.
+    # The catch-all 0.0.0.0/0 may be specified for matching
+    # all IPv4 addresses, and ::/0 may be specified for matching
+    # all IPv6 addresses. May be specified multiple times.
+    allowed_ips:
+    - 192.168.5.0/24
+
+## Auto configuration
+#
+autocfg:
+  # The Maximum Transfer Unit of the WireGuard interface.
+  mtu: 1420
+
+  # IPv4 / IPv6 addresses for the WireGuard interface.
+  addresses:
+  - 10.10.0.1/24
+
+  # Assign link-local addresses to the WireGuard interface.
+  link_local: true
 
 ## Config file synchronization
 #
@@ -122,6 +210,9 @@ rtsync:
 hsync:
   enabled: true
 
+  # The domain name which is appended to each of the peer host names
+  domain: wg-local
+
 
 ## Peer discovery
 #
@@ -129,6 +220,15 @@ hsync:
 pdisc:
   enabled: true
 
+  # The hostname which gets advertised to remote peers
+  hostname: my-node
+
+  # Networks which are reachable via this peer and get advertised to remote peers
+  # These will be part of this interfaces AllowedIPs at the remote peers.
+  networks:
+  - 192.168.1.0/24
+  - 10.2.0.0/24
+
   # A list of WireGuard public keys which are accepted peers
   # If not configured, all peers will be accepted.
   whitelist:
@@ -245,15 +345,11 @@ epdisc:
 # Keys which are not a glob(8) pattern, will be created as new interfaces if
 # they do not exist already in the system.
 interfaces:
-  # 
-  \*:
-    cfgsync:
-      path: /some/special/wireguard/config-dir/
-
   # A simple interface specific setting
   # cunicu will set the private key of interface 'wg0' to the provided value.
   wg0:
-    private_key: kODOmlTNhYbF9htW3uYiE1qKuvBnJKd7MFvaookGd14=
+    epdisc:
+      enabled: false
 
   # No settings are overwritten. But since this is not a glob pattern,
   # A new interface named 'wg1' will be created if it does not exist yet.

etc/cunicu.yaml

@@ -1,25 +1,37 @@
-# An interval at which cunicu will periodically check for added, removed or modified WireGuard interfaces.
+# An interval at which cunicu will periodically check for added,
+# removed or modified WireGuard interfaces.
 watch_interval: 1s
 
-
+## Signaling backends
+#
+# These backends are used for exchanging control-plane messages
+# between the peers.
+# E.g. ICE candidates, Peer information
 backends:
-- grpc://localhost:8080?insecure=true&skip_verify=true
-- k8s:///path/to/your/kubeconfig.yaml?namespace=default
+- grpc://signal.cunicu.li
+# - grpc://localhost:8080?insecure=true&skip_verify=true
+# - k8s:///path/to/your/kubeconfig.yaml?namespace=default
 
 
 # RPC control socket settings
 rpc:
+  # Path to a Unix socket for management
+  # and monitoring of the cunicu daemon.
   socket: /var/run/cunicu.sock
 
-  # Start of cunicu daemon will block until its unblocked via the control socket
+  # Start of cunicu daemon will block until
+  # its unblocked via the control socket.
   # Mostly useful for testing automation
   wait: false
 
 
 ## Hook callbacks
 #
-# Hook callback can be used to invoke subprocesses or web-hooks on certain events within cunicu.
+# Hook callback can be used to invoke subprocesses
+# or web-hooks on certain events within cunicu.
 hooks:
+
+# An 'exec' hook spawn a subprocess for each event.
 - type: exec
   command: ../../scripts/hook.sh
 
@@ -33,15 +45,16 @@ hooks:
   env:
     COLOR: "1"
 
+# A 'web' hook performs HTTP requests for each event.
 - type: web
 
   # URL of the webhook endpoint
   url: https://my-webhook-endpoint.com/api/v1/webhook
   
-  # HTTP method of request
+  # HTTP method of the request
   method: POST
 
-  # Pass additional HTTP headers.
+  # Additional HTTP headers which are used for the requests
   headers:
     User-Agent: ahoi
     Authorization: Bearer XXXXXX
@@ -52,18 +65,93 @@ hooks:
 # using the 'interfaces' settings (see below).
 # The following settings will be used as default.
 
-# WireGuard settings
-wireguard:  
-  # Create WireGuard interfaces using bundled wireguard-go Userspace implementation
-  # This will be the default if there is no WireGuard kernel module present.
+## WireGuard interface settings
+#
+# These settings configure WireGuard specific settings
+# of the interface.
+wireguard:
+  # A base64 private key generated by wg genkey.
+  # Will be automatically generated if not provided.
+  private_key: KLoqDLKgoqaUkwctTd+Ov3pfImOfadkkvTdPlXsuLWM=
+
+  # Create WireGuard interfaces using bundled wireguard-go
+  # user space implementation. This will be the default
+  # if there is no WireGuard kernel module present.
   userspace: false
 
-  # Port range for ListenPort setting of newly created WireGuard interfaces
-  # cunicu will select the first available port in this range.
+  # A range constraint for an automatically assigned
+  # selected listen port.
+  # If the interface has no listen port specified, cunicu
+  # will use the first available port from this range.
   listen_port_range:
     min: 52820
     max: 65535
 
+  # A 16-bit port for listening. Optional;
+  # If not specified, first available port from listen_port_range
+  # will be used.
+  listen_port: 51825
+
+  # A 32-bit fwmark for outgoing packets which can be used
+  # for Netfilter or TC classification.
+  # If set to 0 or "off", this option is disabled.
+  # May be specified in hexadecimal by prepending "0x". Optional.
+  fwmark: 0x1000
+
+  # A list of peers.
+  peers:
+    
+  - # A base64 public key calculated by wg pubkey from a private key,
+    # and usually transmitted out of band
+    # to the author of the configuration file.
+    public_key: FlKHqqQQx+bTAq7+YhwEECwWRg2Ih7NQ48F/SeOYRH8=
+    
+    # A base64 preshared key generated by wg genpsk.
+    # Optional, and may be omitted.
+    # This option adds an additional layer of symmetric-key
+    # cryptography to be mixed into the already existing
+    # public-key cryptography, for post-quantum resistance.
+    preshared_key: zu86NBVsWOU3cx4UKOQ6MgNj3gv8GXsV9ATzSemdqlI=
+
+    # An endpoint IP or hostname, followed by a colon,
+    # and then a port number. This endpoint will be updated
+    # automatically to the most recent source IP address and
+    # port of correctly authenticated packets from the peer.
+    endpoint: vpn.example.com:51820
+
+    # A time duration, between 1 and 65535s inclusive, of how
+    # often to send an authenticated empty packet to the peer
+    # for the purpose of keeping a stateful firewall or NAT mapping
+    # valid persistently. For example, if the interface very rarely
+    # sends traffic, but it might at anytime receive traffic from a
+    # peer, and it is behind NAT, the interface might benefit from
+    # having a persistent keepalive interval of 25 seconds.
+    # If set to 0 or "off", this option is disabled.
+    # By default or when unspecified, this option is off.
+    # Most users will not need this. Optional.
+    persistent_keepalive: 120s
+
+    # A comma-separated list of IP (v4 or v6) addresses with
+    # CIDR masks from which incoming traffic for this peer is
+    # allowed and to which outgoing  traffic for this peer is directed.
+    # The catch-all 0.0.0.0/0 may be specified for matching
+    # all IPv4 addresses, and ::/0 may be specified for matching
+    # all IPv6 addresses. May be specified multiple times.
+    allowed_ips:
+    - 192.168.5.0/24
+
+## Auto configuration
+#
+autocfg:
+  # The Maximum Transfer Unit of the WireGuard interface.
+  mtu: 1420
+
+  # IPv4 / IPv6 addresses for the WireGuard interface.
+  addresses:
+  - 10.10.0.1/24
+
+  # Assign link-local addresses to the WireGuard interface.
+  link_local: true
 
 ## Config file synchronization
 #
@@ -114,6 +202,15 @@ hsync:
 pdisc:
   enabled: true
 
+  # The hostname which gets advertised to remote peers
+  hostname: my-node
+
+  # Networks which are reachable via this peer and get advertised to remote peers
+  # These will be part of this interfaces AllowedIPs at the remote peers.
+  networks:
+  - 192.168.1.0/24
+  - 10.2.0.0/24
+
   # A list of WireGuard public keys which are accepted peers
   # If not configured, all peers will be accepted.
   whitelist: